netwire | 0x0009000000013a13-58[.]dat

Sharing

Copy URL Twitter E-mail

General

Target

0x0009000000013a13-58.dat
Size

227KB
MD5

a8edd52c5edfe91da90ebee24b51d3c6
SHA1

fc36350b93c6974865eaa7f00a98fa281d1ff7fd
SHA256

35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d
SHA512

97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14
SSDEEP

6144:mdCAOLZ7r6xhdyJLkEatq0YE2f6rD9Z7vIDECbUn1ItN6pQ/EjMqqDeMln:fAwZixvy9YaY1ItAy2q

Score

10^/10

rat netwire

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
sample	netwire

Netwire family
netwire

Files

0x0009000000013a13-58.dat
.exe windows x86

957af43b31a03460efad0608582c3e24

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
GetUserNameW
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA

crypt32

CryptUnprotectData

gdi32

BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
GetDeviceCaps
SelectObject

kernel32

CloseHandle
CreateDirectoryW
CreateFileW
CreateMutexA
CreatePipe
CreateProcessA
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFileW
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FreeLibrary
GetCommandLineA
GetCommandLineW
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesExW
GetFileAttributesW
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GetVolumeInformationA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LocalFree
MoveFileW
MultiByteToWideChar
OpenProcess
PeekNamedPipe
Process32First
Process32Next
QueryPerformanceCounter
ReadFile
ReleaseMutex
ResumeThread
SetErrorMode
SetFileAttributesW
SetFilePointer
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WideCharToMultiByte
WriteFile

msvcrt

__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_assert
_beginthreadex
_cexit
_errno
_exit
_filelengthi64
_fileno
_fmode
_fpreset
_initterm
_iob
_lock
_mkdir
_onexit
_snwprintf
_stat
_unlock
_utime
_vscprintf
_vsnprintf
_wfopen
atexit
calloc
exit
fclose
feof
ferror
fflush
fgetpos
fgets
fopen
fprintf
fread
free
freopen
fseek
fsetpos
ftell
fwprintf
fwrite
getenv
localtime
malloc
memcmp
memcpy
memset
mktime
raise
realloc
remove
signal
sprintf
strcat
strchr
strcmp
strcpy
strlen
strncmp
strncpy
time
vfprintf
wcscat
wcscmp
wcscpy

netapi32

NetApiBufferFree
NetWkstaGetInfo

ole32

CoCreateInstance
CoInitialize

shell32

CommandLineToArgvW
SHFileOperationW
ShellExecuteA
ShellExecuteW

shlwapi

StrToIntA

user32

CreateWindowExW
DefWindowProcW
DispatchMessageA
EnumWindows
GetDC
GetDesktopWindow
GetForegroundWindow
GetKeyNameTextW
GetKeyState
GetKeyboardState
GetLastInputInfo
GetMessageW
GetSystemMetrics
GetWindowTextW
IsWindowVisible
MapVirtualKeyW
MessageBoxW
PostQuitMessage
RegisterClassExW
ReleaseDC
SendMessageA
SendMessageW
SetCursorPos
SetWindowTextW
ShowWindow
ToUnicode
TranslateMessage
keybd_event
mouse_event

ws2_32

WSACleanup
WSAGetLastError
WSAIoctl
WSAStartup
__WSAFDIsSet
closesocket
connect
gethostbyname
htons
inet_ntoa
ioctlsocket
ntohs
recv
select
send
setsockopt
shutdown
socket

Sections

.text
Size: 166KB - Virtual size: 166KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 26KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

957af43b31a03460efad0608582c3e24

Headers

File Characteristics

Imports

advapi32

crypt32

gdi32

kernel32

msvcrt

netapi32

ole32

shell32

shlwapi

user32

ws2_32

Sections

.text Size: 166KB - Virtual size: 166KB

.data Size: 2KB - Virtual size: 2KB

.rdata Size: 45KB - Virtual size: 45KB

.eh_fram Size: 4KB - Virtual size: 3KB

.bss Size: - Virtual size: 26KB

.idata Size: 6KB - Virtual size: 6KB

.CRT Size: 512B - Virtual size: 52B

.tls Size: 512B - Virtual size: 32B

.text
Size: 166KB - Virtual size: 166KB

.data
Size: 2KB - Virtual size: 2KB

.rdata
Size: 45KB - Virtual size: 45KB

.eh_fram
Size: 4KB - Virtual size: 3KB

.bss
Size: - Virtual size: 26KB

.idata
Size: 6KB - Virtual size: 6KB

.CRT
Size: 512B - Virtual size: 52B

.tls
Size: 512B - Virtual size: 32B